ESET, a global leader in cybersecurity, has investigated and identified a complex threat posed by a new strain of malware that has so far affected half a million users.

Dubbed as Stantinko, ESET analyzes this highly inconspicuous malware which tricks victims into downloading pirated software from fake torrent sites, and that has continually morphed to avoid detection for the last five years. Targeting mainly Russian speakers, Stantinko is a network of bots which is monetized by installing browser extensions that inject fake ads while surfing the web. Once installed on a machine it can perform massive Google searches anonymously and create fake accounts on Facebook with the capability to like pictures, pages and add friends.

A Modular Backdoor

Stantinko’s ability to evade anti-virus detection relies upon heavy obfuscation and hiding in plain sight inside code that looks legitimate. Using advanced techniques, malicious code is hidden either encrypted in a file or in the Windows Registry. It is then decrypted using a key generated during the initial compromise. Its malicious behavior can’t be detected until it receives new components from its command and control server, making it difficult to uncover.

Once a machine is infected, two harmful Windows services that launch every time the system is started are installed.

“It is difficult to get rid of once you have it, as each component service has the ability to reinstall the other in case one of them is deleted from the system. To fully eliminate the problem, the user has to delete both services from their machine at the same time,” explains Frédéric Vachon, Malware Researcher at ESET.

Once inside a device, Stantinko installs two browser plugins, both available on the Google Chrome Web Store – ‘The Safe Surfing’ and ‘Teddy Protection.’

“Both plugins were still available online during our analysis,” says Marc-Etienne Léveillé, Senior Malware Reseracher at ESET. “At first sight, they look like legitimate browser extensions and even have a website. However, when installed by Stantinko, the extensions receive a different configuration containing rules to perform click-fraud and ad injection.”

Once the malware has infiltrated, Stantinko’s operators can use flexible plugins to do anything they wish with the compromised system. These include conducting massive anonymous searches to find Joomla and WordPress sites, performing brute force attacks on these sites, finding and stealing data, and creating fake accounts on Facebook.

Details of the sites victim to brute force attacks can also be sold on the underground market after it is compromised by Stantinko, which guesses the passwords by trying thousands of different credentials. Although ESET Researchers couldn’t witness the malicious activity on the social network, operators of Stantinko have a tool that allows them to perform fraud on Facebook, selling ‘likes’ to illegitimately capture the attention of unsuspecting consumers.

‘The Safe Surfing’ and ‘Teddy Protection’ plugins are able to inject adverts or redirect the user.

“It allows Stantinko operators to be paid for the traffic they provide to these adverts. We even found users would reach the advertiser’s website directly through Stantinko-owned ads,” concludes Matthieu Faou, Malware Researcher at ESET.

For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security, to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real-time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET becomes the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.